GSSAPI contexts used in multiple threads

Ken Raeburn raeburn at MIT.EDU
Tue Mar 4 16:12:12 EST 2008

On Mar 4, 2008, at 14:13, Russ Allbery wrote:
> It's quite possible that it does and that I'd just misunderstood the
> guarantees.  OpenLDAP had trouble in the past but I think it was  
> stable
> (if slow due to the replay cache) under load with a recent MIT  
> Kerberos,
> but threading bugs can be hard to find even under heavy load.

Perhaps we should check if it's safe to not do replay caches in  
certain cases (i.e., server-provided subkey always used in all known  
protocols using a given service principal name) and make them default  
to not using a replay cache.

It wouldn't surprise me if changing the krb5.conf config file while  
the program is running could cause races, as several functions in our  
library will re-read the config file when it changes, re-parse it,  
etc., but I haven't reviewed if any of those functions are likely to  
get called in the OpenLDAP case.


More information about the krbdev mailing list